1. Raise awareness
First of all, do all your staff know there will be changes to data protection on 25 May? You can start by sending some introductory guidance, giving staff a chance to understand terms such as "personal data" and "data processor".
See our "What is GDPR?" guide for an overview of the changes.
2. Begin data mapping
Data mapping (essentially a data audit) is the most important step in the journey to GDPR compliance. By the end of this process, you have to be able to say what personal data – both analogue and digital – you hold, where it is, and why you hold it.
To learn more about data mapping, see our compliance guide.
3. Ensure up-to-date privacy notices and data protection policies
This stage in the compliance process is about looking at your current privacy and data protection policies and introducing any changes if they are needed.
To learn more about how policies will need to change, see our GDPR for leaders guide.
4. Establish a data breach process
A data breach can lead to your school being sanctioned – or worse, fined – by ICO for not complying with the new data protection requirements. It is essential to have a clear process to follow in the event of a breach. For example, do staff know who to contact if a breach takes place?
Learn more about how to respond to data breaches.
5. Complete staff training
Training is one of the most important stages of becoming GDPR compliant. There is little point having policies in place and going through all your risk assessments if you don't tell staff what they need to do and why. By the end of this process, staff should fully understand their obligations under the new changes.
Learn more about training for GDPR.
6. Appoint your DPO
The data protection officer (DPO) is a new role introduced under GDPR. All schools, except independent schools, will need to have a designated DPO. The person who takes on the position advises the school on the regulations, monitors compliance and is the first contact in the event of a breach. They must not have a conflict of interest.
Learn more about how to choose the right DPO.
7. Get up to speed with individual rights
Giving individuals more power over their data is one of the mainstays of the new regulations. Previously, an individual could just ask to see their data or have it amended; a lot more options are now available, including the ability to object to processing or have their data erased. Would you be able to deal with one of these requests?
8. Have a plan for subject access requests
Subject access requests are nothing new for schools, but under GDPR you now have a one-month limit to respond. How ready are you to respond to a subject access request and what processes are in place to ensure you know when one is made?
Learn more about subject access requests.
9. Review consent processes
Schools will require consent for any processing activities, a task schools are well used to. However, does your consent policy conflict with the new rules under GDPR? If so, it will need to be changed.
Learn more about consent.
10. Be aware of age verification issues
Once a child is 13, they no longer need parental consent for any data processing activity. With this change in mind, what processes do you have in place to deal with it? ICO advises: "You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity."
Learn more about age of consent.
For more, check out our GDPR glossary of terms.